Open roshanmaskey opened 2 years ago
Sounds good! Some prior work on this:
The basic login analyzer https://github.com/google/timesketch/blob/master/timesketch/lib/analyzers/login.py
A graph for win logins https://github.com/google/timesketch/blob/master/timesketch/lib/graphs/win_logins.py
The Windows operating system generates several Windows event logs related to remote authentication and RDP. RDP activities also result in Windows registry entries, files, and process creation.
Create an analyzer that tags the events related to lateral movement and provides a table of lateral movement artifacts in chronological order.
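As an added example (not part of this issue and not Timesketch's own analyzer code), the tagging rule the issue describes sketched as plain Python: it runs over a handful of constructed Windows event records instead of a sketch, tags the ones tied to RDP or remote authentication, and returns them as rows in chronological order. The field names (`event_identifier`, `logon_type`, `source_address`, `target_user`, `computer_name`) are assumptions chosen for the example, not Timesketch's schema; the event IDs are the standard Security and TerminalServices ones.

```python
"""Standalone sketch of lateral-movement tagging over Windows event records.

Added example, not Timesketch code. Input records are plain dicts with field
names assumed for this example; a real analyzer would read the same values
from sketch events.
"""
from datetime import datetime

# Event IDs commonly tied to RDP / remote authentication. Security log unless
# noted. For 4624, logon type 10 = RemoteInteractive (RDP), 3 = Network.
RDP_EVENT_TAGS = {
    4624: "logon",                  # successful logon (filtered by logon_type)
    4648: "explicit_credentials",   # logon using explicit credentials
    4778: "rdp_session_reconnect",  # session reconnected to a Window Station
    4779: "rdp_session_disconnect",
    1149: "rdp_auth_success",       # TerminalServices-RemoteConnectionManager
    21: "rdp_logon",                # TerminalServices-LocalSessionManager
    25: "rdp_reconnect",
}
REMOTE_LOGON_TYPES = {3, 10}
LOCAL_SOURCES = {"", "-", "::1", "127.0.0.1"}  # loopback/missing source: not lateral


def classify(event):
    """Return the tags for one event, or [] if it is not RDP/lateral movement."""
    eid = event.get("event_identifier")
    if eid not in RDP_EVENT_TAGS:
        return []
    # Console, service and batch logons are not lateral movement.
    if eid == 4624 and event.get("logon_type") not in REMOTE_LOGON_TYPES:
        return []
    # A logon from the host itself is not movement between hosts.
    if eid in (4624, 4648) and event.get("source_address", "") in LOCAL_SOURCES:
        return []
    tags = ["lateral_movement", RDP_EVENT_TAGS[eid]]
    if (eid == 4624 and event.get("logon_type") == 10) or eid in (4778, 4779, 1149, 21, 25):
        tags.append("rdp")
    return tags


def build_timeline(events):
    """Tag each event and return the tagged ones as table rows, oldest first."""
    rows = []
    for ev in events:
        tags = classify(ev)
        if tags:
            rows.append({
                "timestamp": ev["timestamp"],
                "event_id": ev["event_identifier"],
                "source": ev.get("source_address", ""),
                "user": ev.get("target_user", ""),
                "host": ev.get("computer_name", ""),
                "tags": tags,
            })
    return sorted(rows, key=lambda r: r["timestamp"])


def format_table(rows):
    """Render the rows as a simple text table (one artifact per line)."""
    lines = ["timestamp            event_id  source        user    host    tags"]
    for r in rows:
        lines.append("%-20s %-9d %-13s %-7s %-7s %s" % (
            r["timestamp"].strftime("%Y-%m-%d %H:%M:%S"), r["event_id"],
            r["source"], r["user"], r["host"], ",".join(r["tags"])))
    return "\n".join(lines)


# Constructed sample records, deliberately out of order, mixing local and
# remote activity so the filters have something to reject.
SAMPLE_EVENTS = [
    {"timestamp": datetime(2023, 5, 1, 9, 0), "event_identifier": 4624,
     "logon_type": 2, "source_address": "", "target_user": "alice", "computer_name": "WS01"},
    {"timestamp": datetime(2023, 5, 1, 9, 5), "event_identifier": 4624,
     "logon_type": 10, "source_address": "10.0.0.5", "target_user": "alice", "computer_name": "SRV01"},
    {"timestamp": datetime(2023, 5, 1, 9, 4), "event_identifier": 1149,
     "source_address": "10.0.0.5", "target_user": "alice", "computer_name": "SRV01"},
    {"timestamp": datetime(2023, 5, 1, 9, 3), "event_identifier": 4648,
     "source_address": "10.0.0.5", "target_user": "alice", "computer_name": "WS01"},
    {"timestamp": datetime(2023, 5, 1, 9, 10), "event_identifier": 4778,
     "source_address": "10.0.0.5", "target_user": "alice", "computer_name": "SRV01"},
    {"timestamp": datetime(2023, 5, 1, 9, 12), "event_identifier": 4624,
     "logon_type": 3, "source_address": "127.0.0.1", "target_user": "svc", "computer_name": "SRV01"},
]

if __name__ == "__main__":
    print(format_table(build_timeline(SAMPLE_EVENTS)))
```

The two negative filters (non-remote logon types, loopback or missing source) are where most of the noise in a real timeline is removed; the event-ID table is the part that grows as more RDP artifacts (registry keys, files, process creation) are added as the issue suggests.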